News

What Impact Will the New Mandatory Data Breach Notification Laws Have?

The Privacy Act 1988 requires health care providers to comply with the 13 Australian Privacy Principles, which govern the collection, use and disclosure of personal information.


The Act also requires health care providers to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Amendments to the Privacy Act 1988 introduce mandatory data breach notification and apply to all organisations that already have obligations under the Act, which includes private health service providers. Under the new scheme, which commences on 22 February 2018, an eligible data breach must be notified to both the Office of the Australian Information Commissioner (OAIC) and the individuals affected where the breach is likely to result in serious harm to those individuals.

Data breaches may result from theft or deliberate ‘hacking’, but just as often from internal error or a failure to follow an information handling policy. A breach is eligible, and therefore notifiable, when there has been unauthorised access to or disclosure of personal information, or loss of personal information in circumstances where unauthorised access or disclosure is likely to occur, and a reasonable person would conclude that the breach is likely to result in serious harm to any of the individuals concerned. For the purposes of the Act, personal information is information about an identified individual, or an individual who is reasonably identifiable. Medicare numbers and other health details are the kind of information whose compromise could cause an individual serious harm.

In the event of a suspected data breach, remedial action should be taken promptly to mitigate the risk of serious harm. If that action is effective, for example remotely wiping a laptop left on a train before its contents can be accessed, the breach may no longer be eligible and may not have to be reported. If remedial action is ineffective or cannot be undertaken, a statement must be prepared that identifies the organisation, describes the breach, sets out the kinds of information involved and recommends the steps affected individuals should take in response.

Failure to notify an eligible data breach may result in the Commissioner directing that a notification be issued, and in civil penalties of up to $360,000 for an individual or $1.8m for a company. Individual practitioners found to have breached their obligations under privacy law may also be the subject of a complaint to the Australian Health Practitioner Regulation Agency (AHPRA).

A note about medical indemnity insurance

In most instances, doctors are covered by their medical indemnity insurance for actual or alleged breaches of privacy or confidentiality. Doctors are nevertheless advised to confirm with their insurer whether the cover extends to fines imposed by the Privacy Commissioner and to damages awarded by the courts. On average, around $15,000 has been awarded by the Privacy Commissioner to individual claimants in cases involving breaches of health data.

Doctors should also consider the cost and disruption of investigations into alleged or actual data breaches, which may, for example, require computers and other equipment to be taken offline while forensic examination is carried out. Most health care clinics already have a policy covering privacy and cyber security; it is recommended that these policies be reviewed and strengthened, and that staff training be undertaken where necessary, before the mandatory notification laws come into effect.

A guide to handling personal information security breaches is available from the Office of the Australian Information Commissioner. The OAIC has also published a draft business resource on handling health information under the Privacy Act for health service providers.